
CVE-2025-10188: CWE-352 Cross-Site Request Forgery (CSRF) in tvcnet The Hack Repair Guy's Plugin Archiver

Severity: Medium
Tags: Vulnerability, CVE-2025-10188, CWE-352
Published: Wed Sep 17 2025 (09/17/2025, 04:01:14 UTC)
Source: CVE Database V5
Vendor/Project: tvcnet
Product: The Hack Repair Guy's Plugin Archiver

Description

The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the bulk_remove() function. This makes it possible for unauthenticated attackers to perform arbitrary directory deletion in /wp-content via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Last updated: 09/17/2025, 13:00:34 UTC

Technical Analysis

CVE-2025-10188 is a Cross-Site Request Forgery (CSRF) vulnerability affecting The Hack Repair Guy's Plugin Archiver WordPress plugin, versions up to and including 2.0.4. The vulnerability arises from missing or incorrect nonce validation in the bulk_remove() function. WordPress nonces are per-user, per-action, time-limited tokens that let a handler verify a request was intentionally submitted from a page WordPress itself generated, rather than forged by a third-party site; they are the plugin-level CSRF defence and are separate from the login session cookie. Without that check, an attacker can craft a request that, when issued by an authenticated administrator's browser, triggers arbitrary directory deletion within the /wp-content directory of the WordPress installation. The attack requires the attacker to trick an administrator into clicking a specially crafted link or visiting a malicious webpage, so that the administrator's authenticated session is attached to the forged request. The attacker does not need an account of their own, but the attack depends on user interaction by an admin. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. The primary impact is integrity and availability degradation from arbitrary directory deletion, which can disrupt website functionality and cause data loss. No exploitation in the wild has been reported yet, but the vulnerability is publicly disclosed and should be treated as a risk for affected WordPress sites using this plugin.
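As an added illustration (not code from the plugin or from this advisory), the missing-check pattern next to its hardened form in a hypothetical WordPress admin-post handler; every name beginning with hypothetical_, the archived/ subdirectory and the manage_options capability are assumptions, and the block assumes it is loaded inside WordPress, where the admin_post_* hooks, nonce helpers and WP_CONTENT_DIR exist.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical handler that
// deletes directories under wp-content, first in the pattern that accepts
// forged requests, then hardened. Assumes it runs inside WordPress.

// Recursive delete helper (hypothetical), used by both handlers.
function hypothetical_rmdir_recursive( $path ) {
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $path, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $items as $item ) {
        $item->isDir() ? rmdir( $item->getPathname() ) : unlink( $item->getPathname() );
    }
    rmdir( $path );
}

// Vulnerable pattern: no nonce and no capability check, so any POST carrying
// the admin's session cookie is honoured, including one that a third-party
// page submits from the admin's browser while they are logged in.
function hypothetical_bulk_remove_unsafe() {
    foreach ( (array) $_POST['dirs'] as $dir ) {
        hypothetical_rmdir_recursive( WP_CONTENT_DIR . '/' . $dir );
    }
}

// Hardened pattern: capability check, nonce check bound to this action, and
// confinement of the target path to the plugin's own archive directory.
function hypothetical_bulk_remove_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypothetical_bulk_remove' ); // dies on a bad or missing _wpnonce

    $base = realpath( WP_CONTENT_DIR . '/archived' );
    $dirs = isset( $_POST['dirs'] ) ? (array) wp_unslash( $_POST['dirs'] ) : array();
    foreach ( $dirs as $dir ) {
        $path = realpath( $base . '/' . sanitize_file_name( $dir ) );
        // realpath() resolves '..' and symlinks; reject anything outside $base.
        if ( false === $base || false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }
        hypothetical_rmdir_recursive( $path );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-archiver&removed=1' ) );
    exit;
}
add_action( 'admin_post_hypothetical_bulk_remove', 'hypothetical_bulk_remove_safe' );
// The form that posts here must emit the token with wp_nonce_field( 'hypothetical_bulk_remove' ).
```

The nonce alone stops forged cross-site requests; the capability check and path confinement are separate defences that limit who may delete and what may be deleted even when the request is genuine.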

Potential Impact

For European organizations using WordPress sites with The Hack Repair Guy's Plugin Archiver, this vulnerability poses a risk of unauthorized deletion of plugin or content directories under /wp-content. This can lead to partial or full website outages, loss of critical website data, and downtime affecting business operations and reputation. Since WordPress is widely used across Europe for corporate, governmental, and small business websites, the impact can be significant, especially for organizations lacking robust backup and recovery procedures. The attack requires an administrator to be tricked, so organizations with less security awareness or insufficient user training are at higher risk. Additionally, organizations that rely on this plugin for content management or archival functions may face operational disruptions. While the vulnerability does not directly expose confidential data, the loss of website availability and integrity can indirectly affect trust and compliance with data protection regulations such as GDPR if services are disrupted.

Mitigation Recommendations

1. Immediate mitigation involves updating The Hack Repair Guy's Plugin Archiver plugin to a version that patches the CSRF vulnerability once released by the vendor. Since no patch links are currently available, organizations should monitor vendor announcements closely.
2. As a temporary workaround, restrict administrative access to the WordPress backend to trusted IP addresses and enforce multi-factor authentication (MFA) to reduce the risk of compromised admin sessions.
3. Educate administrators about the risks of clicking on unsolicited links or visiting untrusted websites while logged into the WordPress admin panel to reduce the likelihood of successful CSRF attacks.
4. Implement Web Application Firewall (WAF) rules that detect and block suspicious requests targeting the bulk_remove() function or unusual deletion requests within /wp-content.
5. Regularly back up WordPress files and databases, ensuring backups are stored securely and tested for restoration, to minimize damage from potential directory deletions.
6. Conduct security audits and vulnerability scans on WordPress installations to detect outdated plugins and misconfigurations.
7. Consider disabling or removing the vulnerable plugin if it is not essential, to reduce the attack surface.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-09T15:37:26.012Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68cab09db62c8e2e63b24684

Added to database: 9/17/2025, 12:59:09 PM

Last enriched: 9/17/2025, 1:00:34 PM

Last updated: 9/17/2025, 1:00:34 PM

